Cisco Support Community
P2P and IM blocking with ASA 5520 using GUI

Hi everyone,

We have had an ASA 5520 working for some days now, and we want to block IM and P2P network traffic through our firewall. We asked our distributor and they sent us a link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c38a6.shtml

In this link there is information about blocking such traffic by modifying the running-config file directly. Our question is whether or not we can find a way to do it using the GUI. We would feel safer doing it like this.

In case there is no way to do it through the GUI, how should I proceed to modify the running-config file?

Thank you.

2 REPLIES

Re: P2P and IM blocking with ASA 5520 using GUI

Here is a sample for blocking IM and P2P

------------------------------------------------------------------------------------------

Create a class-map for http inspection

pix(config)# class-map http-port
pix(config-cmap)# match port tcp eq 80
pix(config-cmap)# exit

Create an http-map to specify parameters for inspect http

pix(config)# http-map inbound_http
pix(config-http-map)# content-length min 100 max 2000 action reset log
pix(config-http-map)# content-type-verification match-req-rsp action reset log
pix(config-http-map)# max-header-length request 100 action reset log
pix(config-http-map)# max-uri-length 100 action reset log
pix(config-http-map)# port-misuse p2p action drop
pix(config-http-map)# port-misuse im action drop
pix(config-http-map)# port-misuse default action allow
pix(config-http-map)# exit

Create a policy-map for http inspection

pix(config)# policy-map inbound_policy
pix(config-pmap)# class http-port
pix(config-pmap-c)# inspect http inbound_http
pix(config-pmap-c)# exit
pix(config-pmap)# exit

If necessary create a service-policy or use the default-inspection policy:

pix(config)# service-policy inbound_policy interface outside

Re: P2P and IM blocking with ASA 5520 using GUI

Hi hadbou,

thank you very much for your answer.

There's just a little point on it. I'm able to create the class-map and the policy-map fine. Unfortunately, when I tried to create an http-map to specify parameters for inspecting http, I received the message "This command has been deprecated. Use 'policy-map type inspect http'", and at this point I don't know how to go on.

I suppose I have a newer version, and such a command is not working any longer. How should I do it?

Thank you for your posts.
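The deprecation message means the box is running ASA software 7.2 or later, where the old PIX-style http-map (and its port-misuse p2p/im options) was replaced by the Modular Policy Framework: regex objects, class-map type inspect, and policy-map type inspect. The configuration below is an added example written for this thread, not hadbou's sample, the OP's config, or Cisco's own example. It shows the same intent (drop IM and P2P clients that tunnel over TCP/80, and drop the native MSN and Yahoo IM protocols) in the newer syntax. All object names, the regex patterns, and the Host header values are assumptions chosen for illustration; the default global_policy, inspection_default class and service-policy global lines exist in a factory ASA config.

```cisco
! Added example for ASA 7.2+/8.x, not from the thread. Names and regexes are assumptions.
!
! --- Regular expressions matched against HTTP request headers ---
! P2P clients that identify themselves in User-Agent (patterns are illustrative).
regex p2p_ua_kazaa "[Kk]azaa"
regex p2p_ua_gnutella "[Gg]nutella"
regex p2p_ua_bittorrent "[Bb]it[Tt]orrent"
! IM HTTP gateways, matched on the Host header (hostnames are assumptions; verify on the wire).
regex im_host_msn "messenger\.hotmail\.com"
regex im_host_yahoo "msg\.yahoo\.com"

class-map type regex match-any p2p_user_agents
 match regex p2p_ua_kazaa
 match regex p2p_ua_gnutella
 match regex p2p_ua_bittorrent

class-map type regex match-any im_http_hosts
 match regex im_host_msn
 match regex im_host_yahoo

! --- HTTP: the replacement for "port-misuse p2p/im action drop" ---
! match-any: a request hitting any one of these criteria is dropped.
class-map type inspect http match-any block_http_tunnels
 match request header user-agent regex class p2p_user_agents
 match request header host regex class im_http_hosts
 match request method connect

policy-map type inspect http http_block_policy
 parameters
  protocol-violation action drop-connection log
 class block_http_tunnels
  drop-connection log

! --- IM: native MSN and Yahoo Messenger protocols on their default ports ---
class-map type inspect im match-any im_native_clients
 match protocol msn-im yahoo-im

policy-map type inspect im im_block_policy
 class im_native_clients
  drop-connection log

! --- Attach both inspections to the default global policy ---
! inspection_default matches default-inspection-traffic (TCP/80 for http,
! the MSN/Yahoo ports for im), so no extra class-map on port 80 is needed.
policy-map global_policy
 class inspection_default
  inspect http http_block_policy
  inspect im im_block_policy

service-policy global_policy global
```

To check that it is doing something, `show service-policy inspect http` and `show service-policy inspect im` report packet and drop counters per inspection; a zero count after a client has tried to connect means the regex or Host pattern does not match what that client actually sends. Two caveats a practitioner should keep in mind: header matching only catches clients that identify themselves (encrypted, port-hopping or obfuscated P2P is not caught by this), and `match request method connect` also blocks legitimate HTTP CONNECT on port 80, so drop that line if an internal proxy depends on it. On the GUI question: ASDM builds exactly these objects under Configuration > Firewall > Objects > Regular Expressions and Inspect Maps (HTTP, IM), and attaches them under Configuration > Firewall > Service Policy Rules; it sends this same CLI to the running-config, so there is no safer or different mechanism behind the GUI.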
